Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Desktop: Linux: Move keychain support behind an off-by-default feature flag #11227

Merged
merged 2 commits into from
Oct 17, 2024
Merged

Desktop: Linux: Move keychain support behind an off-by-default feature flag #11227

merged 2 commits into from
Oct 17, 2024

Conversation

personalizedrefrigerator
Copy link
Collaborator

Summary

This pull request is in response to a failure to decrypt saved keychain secrets on Fedora 40. It makes the following changes:

  • Makes the keychain read-only just after loading settings UNLESS the user has opted in to keychain support through a feature flag.
  • Updates versionInfo to not display Yes for "Keychain supported" if the keychain is in read-only mode.

With the keychain in read-only mode, new secrets will be saved as they were before the 3.1 pre-release (see #10535) but old secrets can still be read from the KeychainService.

Testing plan

Linux + Fedora 40

  1. Build a release version of Joplin and start it.
  2. Verify that Help > About Joplin shows "Keychain Supported" as "No".
  3. Trigger a settings save (e.g. change the editor layout).
  4. Verify that encryption. passwords are stored in the settings table in the database.
  5. Go to settings > general and check "enable keychain support".
  6. Restart Joplin.
  7. Verify that Help > About Joplin shows "Keychain Supported" as "Yes".
  8. Verify that encryption. passwords are no longer present in the settings table in the database.
  9. Verify that encryption. passwords are now present (encrypted) in the key_value table in the database.

Windows 11

  1. Start Joplin in dev mode.
  2. Open Help> About
  3. Verify that "Keychain Supported" is listed as "Yes".
  4. Under settings > general, verify that the "Enable keychain support" setting is not visible.
  5. Enable encryption and enter an encryption password.
  6. Restart Joplin.
  7. Verify that the keychain password is still saved.
  8. Start an existing install of Joplin.
  9. Enable E2EE if not already enabled and enter a password.
  10. Quit Joplin.
  11. Build a release version of Joplin and install it.
  12. Launch Joplin.
  13. Verify that the master password is still saved.
  14. Quit Joplin and launch JoplinPortable.exe
  15. Verify that under Help > About Joplin, "Keychain Supported" is listed as "No".

@personalizedrefrigerator
Desktop: Linux: Move keychain support behind an off-by-default featur…
83ceec2 
…e flag

This commit is in response to a failure to decrypt saved keychain
secrets on Fedora 40. It makes the following changes:
- Makes the keychain read-only just after loading settings UNLESS the
  user has opted in to keychain support through a feature flag.
- Updates versionInfo to not display Yes for "Keychain supported" if the keychain is in read-only
  mode.

With the keychain in read-only mode, new secrets will be saved to the
database (as they were in v3.0) but old secrets can still be read from
the KeychainDriver.
@personalizedrefrigerator
Update comment
15bc507
@laurent22
Copy link
Owner

That sounds like a reasonable workaround for this issue. We can enable the keychain by default once we better understand the issue. Maybe we could advertise this feature flag on the forum to ask Linux users to give it a try?

@laurent22 laurent22 merged commit 41b251d into laurent22:release-3.1 Oct 17, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@personalizedrefrigerator @laurent22